d4Rk's 1337 h4x0r guide
Tools

Last updated 2 years ago

Highly inspired by .

Seeds/Roots

  • crt.sh

ASN Enumeration

  • bgp.he.net

  • Asnlookup

  • Metabigor

Reverse WHOIS

  • whoxy.com

  • DOMLink

Ad/Analytics Relationships

  • (also available as Firefox addon)

  • getrelationship.py

Google-Fu

  • Copyright text

  • Terms of service text

  • Privacy policy text

Subs

Linked and JS Discovery

  • Burp Suite Pro (or ZAP Proxy?)

  • GoSpider

  • hakrawler

  • Subdomainizer

  • subscraper

Subdomain Scraping

site:twitch.tv -www.twitch.tv
site:twitch.tv -www.twitch.tv -watch.twitch.tv
  • Amass: amass enum ...

  • Subfinder v2

  • github-subdomains.py

  • github-search (unstable -> run multiple times)

  • shosubgo

  • Cloud Ranges (scan all AWS, Azure, etc. check SSL certs for "target")

Subdomain Bruting

  • Massdns

  • Amass: amass enum -brute -d twitch.tv -src

  • aiodnsbrute

  • shuffleDNS

  • altdns

Wordlists

  • all.txt

  • AssetNote -> commonspeak2

Favicon Analysis

  • favfreak

Port Analysis

  • Nmap

  • masscan (faster than Nmap)

  • dnmasscan

  • Brutespray

GitHub Dorking

  • github-search

Screenshotting

  • Aquatone

  • Eyewitness

  • httpscreenshot

  • WitnessMe

Subdomain takeover

  • can-i-take-over-xyz

  • Nuclei

  • SubOver

Automation++

  • interlace

  • Tools by TomNomNom (e.g. httprobe, meg)

Frameworks

S-Tier

  • Bunty.offensiveai.com (paid)

  • Scout (paid)

A-Tier

B-Tier

C-Tier

MISC (to be cleaned up)

  • WebScarab

  • Recon-ng

  • GitRob

  • OnlineHashCrack.com

  • idb

  • Wireshark

  • Bucket Finder

  • Race the Web

  • Google Dorks

  • JD GUI

  • Mobile Security Framework

  • Ysoserial

  • Sublist3r

  • Knockpy

  • HostileSubBruteforcer

  • The Bug Hunter's Methodology (Jason Haddix, @jhaddix)

  • crt.sh | Certificate Search

  • Shodan Search Engine

  • Censys

  • builtwith.com

  • GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers

  • GitHub - guelfoweb/knock at knock4

  • GitHub - nahamsec/HostileSubBruteforcer

  • AssetNote

  • SpiderFoot

  • Project Discovery Framework

  • Jaeles (scanner)

  • Osmedeus

  • reNgine

  • Findomain Monitoring Service

  • Rock-ON (A One-Shoot Killer)

  • Automated Reconnaissance Pipeline

  • LazyRecon

  • Automated-Scanner

  • OneForAll

  • Chomp Scan

  • domained [archived]

  • Gorecon - lightweight Reconnaissance Tool [NO LONGER MAINTAINED]

  • TugaRecon

  • Photon

  • bountyRecon

  • recon

  • Recon-tools

  • AutoRecon

  • Hunter

  • ultimate_recon.sh

  • st8out.sh

  • CyberChef